Comprehensive technical reference for disabling Windows security components such as Microsoft Defender, Firewall, SmartScreen, Exploit Protection, and security notifications. Intended for malware analysis, reverse engineering, red team labs, and controlled test environments.


Disable Windows Defender (Real-Time Protection, Cloud, etc.)

Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableBehaviorMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableScriptScanning $true
Set-MpPreference -DisableBlockAtFirstSeen $true
Set-MpPreference -MAPSReporting 0
Set-MpPreference -SubmitSamplesConsent 2

Verify security settings

Get-MpComputerStatus

Dump all security settings

Get-MpPreference 

Disable Windows Defender via Registry (Persistent)

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f

Disable Windows Firewall (All Profiles)

netsh advfirewall set allprofiles state off

Verify firewall status

netsh advfirewall show allprofiles

Disable SmartScreen

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d Off /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f

Disable Windows Security Notifications

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f

Disable Automatic Sample Submission

Set-MpPreference -SubmitSamplesConsent 2

Disable Scheduled Defender Tasks

Get-ScheduledTask | Where-Object {$_.TaskName -like "*Defender*"} | Disable-ScheduledTask

Disable Exploit Protection (System-Wide)

Set-ProcessMitigation -System -Disable DEP,ASLR,SEHOP

Disable Windows Update (optional but often required)

Stop-Service wuauserv -Force
Set-Service wuauserv -StartupType Disabled    

One-Shot “Lab Mode” Script (PowerShell)

# Disable Defender core protections
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableBehaviorMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableScriptScanning $true
Set-MpPreference -MAPSReporting 0
Set-MpPreference -SubmitSamplesConsent 2

# Disable Firewall
netsh advfirewall set allprofiles state off

# Stop services
Stop-Service WinDefend -Force
Set-Service WinDefend -StartupType Disabled
Stop-Service SecurityHealthService -Force
Set-Service SecurityHealthService -StartupType Disabled

# Disable tasks
Get-ScheduledTask | Where-Object {$_.TaskName -like "*Defender*"} | Disable-ScheduledTask
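
Detecting these changes from command-line logs

Each command above leaves a process-creation or PowerShell script-block record when command-line logging is enabled. The following Python detector is an added example, not part of the original page: it matches those command lines in constructed log lines and flags hosts where several protections were switched off together, as the one-shot script does. The `HOST=`/`USER=`/`CMD=` line format, the host names and the rule names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Rules derived from the commands listed on this page; rule names are illustrative.
RULES = [(name, re.compile(rx, re.I)) for name, rx in [
    ("defender-preference-disabled", r'Set-MpPreference\b.*-Disable\w+\s+(\$true|1)\b'),
    ("defender-cloud-reporting-off", r'Set-MpPreference\b.*-(MAPSReporting\s+0|SubmitSamplesConsent\s+2)\b'),
    ("defender-policy-registry", r'reg(\.exe)?\s+add\s+"?HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender'),
    ("smartscreen-registry", r'reg(\.exe)?\s+add\b.*(SmartScreenEnabled|PhishingFilter)'),
    ("firewall-profile-off", r'netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off'),
    ("exploit-protection-disabled", r'Set-ProcessMitigation\b.*-Disable\b'),
    ("security-service-disabled", r'Stop-Service\s+(WinDefend|SecurityHealthService|wuauserv)\b'
                                  r'|Set-Service\s+(WinDefend|SecurityHealthService|wuauserv)\b.*-StartupType\s+Disabled'),
    ("defender-tasks-disabled", r'Defender.*\|\s*Disable-ScheduledTask'),
]]

# Assumed (constructed) log format: "<timestamp> HOST=<h> USER=<u> CMD=<command line>"
LINE = re.compile(r'^(?P<ts>\S+)\s+HOST=(?P<host>\S+)\s+USER=(?P<user>\S+)\s+CMD=(?P<cmd>.*)$')

def scan(lines):
    """Return (host, rule_name, command) for every rule a log line matches."""
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the assumed format
        for name, pattern in RULES:
            if pattern.search(m["cmd"]):
                hits.append((m["host"], name, m["cmd"]))
    return hits

def bulk_tamper_hosts(hits, threshold=3):
    """Hosts where at least `threshold` distinct rules fired (one-shot script pattern)."""
    per_host = defaultdict(set)
    for host, name, _ in hits:
        per_host[host].add(name)
    return sorted(h for h, names in per_host.items() if len(names) >= threshold)

# Constructed sample log lines, not taken from a real system.
SAMPLE = [
    "2024-05-01T09:00:01Z HOST=LAB-VM01 USER=analyst CMD=powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    "2024-05-01T09:00:02Z HOST=LAB-VM01 USER=analyst CMD=netsh advfirewall set allprofiles state off",
    "2024-05-01T09:00:03Z HOST=LAB-VM01 USER=analyst CMD=powershell.exe Stop-Service WinDefend -Force",
    "2024-05-01T09:05:00Z HOST=WS-0042 USER=jdoe CMD=netsh advfirewall show allprofiles",
    "2024-05-01T09:06:00Z HOST=WS-0042 USER=jdoe CMD=powershell.exe Set-MpPreference -SubmitSamplesConsent 2",
]

if __name__ == "__main__":
    found = scan(SAMPLE)
    for host, rule, cmd in found:
        print(f"{host}: {rule}: {cmd}")
    print("bulk tamper:", bulk_tamper_hosts(found))
```

A single hit on an inventoried analysis VM is expected; the same hit on a host outside the lab inventory, or several distinct rules on one host, is the signal worth alerting on.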